Ruoyu Wu,Xinwen Zhang,Gail‐Joon Ahn,Hadi Sharifi,Haiyong Xie

IF: 56.9

2013-01-01

Science

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and finegrained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of pluggable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaSRBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS. We describe challenges and lessons in implementing ACaaSRBAC, demonstrate how this service can be seamlessly integrated with enterprise cloud applications, and discuss evaluation results.

Fangbo Cai,Nafei Zhu,Jingsha He,Pengyu Mu,Wenxin Li,Yi Yu

DOI: https://doi.org/10.1007/s10586-018-1850-7

2018-01-01

Cluster Computing

Abstract:Access control is an important measure for the protection of information and system resources to prevent illegitimate users from getting access to protected objects and legitimate users from attempting to access the objects in ways that exceed what they are allowed. The restriction placed on access from a subject to an object is determined by the access policy. With the rapid development of cloud computing, cloud security has increasingly become a common concern and should be dealt with seriously. In this paper, we survey access control models and policies in different application scenarios, especially for cloud computing, by following the development of the internet as the main line and by examining different network environments and user requirements. Our focus in the survey is on the relationships among different models and technologies along with the application scenarios as well as the pros and cons of each model. Special attention will be placed on access control for cloud computing, which is reflected in the summaries of the access control models and methods. We also identify some emerging issues of access control and point out some future research directions for cloud computing.

Ruoyu Wu,Xinwen Zhang,Gail-Joon Ahn,Hadi Sharifi,Haiyong Xie

DOI: https://doi.org/10.1109/SocialCom.2013.66

2013-01-01

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and fine-grained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of plug gable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaS_RBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS.

Guo-yuan LIN,Shan HE,Hao HUANG,Ji-yi WU,Wei CHEN

2012-01-01

Abstract:In view of the current popular cloud computing technology,some security problems were analyzed.Based on BLP(Bell-LaPadula) model and Biba model,using the access control technology based on behavior to dynamic adjusting scope of subject's visit,it put forward the CCACSM ( cloud omputing access control security model).The model not only guarantees the cloud computing environment information privacy and integrity,and makes cloud computing environment with considerable flexibility and practical.At last,it gives the model's part,safety justice and realization process.

Chao Zhou,Bo Li

DOI: https://doi.org/10.1109/UCC.2014.139

2014-01-01

Abstract:Cloud computing, as an emerging computing paradigm, greatly facilitates resource sharing and enables providing computing power as services over the Internet. However, it also brings new challenges for security and access control, especially in IaaS clouds. The introduction of virtualization layer increases new security risks which should be restricted and confined by more stringent access control techniques. In this paper, we propose a hybrid access control framework, named iHAC, which combines the advantages of both Role-based Access Control (RBAC) and Type Enforcement (TE) model to enable unified access control and authorization for IaaS clouds. A permission transition model is provided to dynamically assign permission to virtual machines. A VMM-based access control mechanism is designed to confine the VM's behaviors in a fine-grained manner. Ihac is implemented and evaluated in iVIC platform. The experimental results show that our proposed framework is effective and efficient.

bo li,jianxin li,lu liu,chao zhou

DOI: https://doi.org/10.1002/sec.1216

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Cloud computing, as an emerging computing paradigm, greatly facilitates resource sharing and enables providing computing power as services over the Internet. However, it also brings new challenges for security and access control, especially in infrastructure as a service clouds. The introduction of virtualization layer increases new security risks, which should be restricted and confined by more stringent access control techniques. In this paper, we propose a flexible and fine-grained access control framework, named IaaS-oriented Hybrid Access Control (iHAC), which combines the advantages of both the role-based access control and type enforcement model. We consider access control issues from the perspective of virtual machines. A permission transition model is designed to dynamically assign permissions to virtual machines. A Virtual Machine Monitor (VMM)-based access control mechanism is presented to confine the virtual machine's behaviors in a fine-grained manner. A VMM-enabled network access control approach is proposed to regulate the communication among virtual machines. iHAC is successfully implemented in the Internet based Virtual Computing Infrastructure (iVIC) platform, and several experiments are conducted to evaluate its effectiveness and efficiency. The results show that iHAC can make correct access control decisions with low performance overhead. Copyright (c) 2015John Wiley & Sons, Ltd.

Xiaoning Wang,Haili Xiao,Shasha Lu

DOI: https://doi.org/10.11871/j.issn.1674-9480.2014.05.002

2014-01-01

Abstract:To address the problem of access control in Scientiifc Computing Cloud Platform, this paper proposes an access control model CAQF (Clusters, Applications, Queues and Files), which is suitable for scientiifc computing with varieties of virtualized and layered resources. This paper implements CAQF model based on SCE, which is a middleware in Scientiifc Computing Cloud Platform. In CAQF model, we analyze resource characteristics and relationships between resources in different layers, and defined flexible access control policies. CAFQ model is demonstrated to be effective for requirements including cluster maintenance, dedicated queues or applications set, and technique supports.

Zhuo Tang,Juan Wei,Ahmed Sallam,Kenli Li,Ruixuan Li

DOI: https://doi.org/10.1007/978-3-642-30767-6_24

2012-01-01

Abstract:Access Control is an important component of Cloud Computing; specially, User access control management; however, Access Control in Cloud environment is different from traditional access environment and using general access control model can't cover all entities within Cloud Computing, noting that Cloud environment includes different entities such as data owner, end user, and service provider. In this paper, we propose a new access control based on Role-based access control (RBAC) model. This model includes two kind of roles, user role (UR) and owner role (OR); such that, Users get credential from owners to communicate with service provider and to get access permissions of resources. We also discuss the aspects of user access control management, such as authentication, privilege management, and deprovisioning. Moreover, we use administrative scope to update hierarchy when there is a role added or revoked to simplify the user access control management. By applying the model in Cloud environment the results shows that it can reduce the security problems to two classes in the RT [←,∩] role-based trust-management language with a test-paper system.

Yu-Ding WANG,Jia-Hai YANG,Cong XU,Xiao LING,Yang YANG

DOI: https://doi.org/10.13328/j.cnki.jos.004820

2015-01-01

Abstract:With the intensive and large scale development of cloud computing, security becomes one of the most important problems. As an important part of security domain, access control technique is used to limit users' capability and scope to access data and ensure the information resources not to be used and accessed illegally. This paper focuses on the state-of-the-art research of access control technology in cloud computing environment. First, it briefly introduces access control theory, and discusses the access control framework in cloud computing environment. Then, it thoroughly surveys the access control problems in cloud computing environment from three aspects including cloud access control model, cloud access control based on ABE (attribute-based encryption) cryptosystem, and multi-tenant and virtualization access control in cloud. In addition, it probes the best current practices of access control technologies within the major cloud service providers and open source cloud platforms. Finally, it summarizes the problems in the current research and prospects the development of future research.

Wenchang Shi,Zhiyu Wang,Ying Huang

DOI: https://doi.org/10.13245/j.hust.160318

2016-01-01

Abstract:Aimed at the needs of data isolation and data sharing between tenants in the IaaS (infra-structure as a service)clouds,an access control model,the MTIAC (multi-tenancy IaaS access con-trol)model,was proposed.MTIAC focuses on three kinds of common access operations in the IaaS environment,which are hypervisor authorization,the allocation of resources to virtual machines,and the communication between virtual machines.The discretionary access control policies of MTIAC al-low administrators to define label sets and conflicting label sets,as well as to assign these labels to workloads.The mandatory access control policies of MTIAC assures that no conflicting workloads will run on the same host machine,while non-conflicting virtual machines can share data in a con-trolled way.MTIAC updates both subjects′and objects′relevant attributes after the authorized opera-tions have been successfully enforced,in order to achieve safe transitions of status.Finally,the trus-ted virtual datacenter (TVDc)technology example illustrates the availability of MTIAC.

Yan Danfeng,Yang Fangchun

2011-01-01

China Communications

Abstract:Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.

Wenhui Wang,Jing Han,Meina Song,Xiaohui Wang

DOI: https://doi.org/10.1109/icpca.2011.6106526

2011-01-01

Abstract:Today, the problem of trusting cloud computing is a paramount concern for most enterprises. Whether user behavior is trusted and how to evaluate user's behavior trust are important research contents in cloud computing. This paper suggests an adaptive access algorithm by introducing the trust into cloud computing to decide the access control to the resources using an improved RBAC technique to solve more complex and difficult problems in the cloud computing environment. And the proposed model determines dynamically security level and access control for the common resources. Therefore, it is supposed to provide appropriate security services according to the dynamic changes of the common resources. This access control model bases on trust determines whether the user has the right to get access to the resource by dynamically authorizing. And this mechanism can control the user's malicious behavior effectively.

Xiao-Yong Li,Yong Shi,Yu Guo,Wei Ma

DOI: https://doi.org/10.1109/cise.2010.5677061

2010-01-01

Abstract:Though cloud computing has many advantages, it still faces a big challenge of security and privacy problem. This problem is also an obstacle to cloud computing since no one is willing to run his businesses in facilities he has no control over it. Moreover, since cloud computing is a multi-tenancy IT service mode, there should be a capability to compartmentalize different customers in cloud facilities; therefore, security duty separation between CSP and customers must be supported in cloud. However, this security duty separation is not common in traditional security mechanisms. Multi-tenancy based access control model (MTACM) was designed to embed the security duty separation principle in cloud; it was a two granule level access control mechanism, one was tenant granule for CSP to compartmentalize different customers, the other was application granule for customers to control the access to their own applications. MTACM was technically and practically feasible. A prototype introduced in this paper showed that MTACM has a good performance.

Chao-sheng FENG,Zhi-guang QIN,Ding YUAN,Yu QING

DOI: https://doi.org/10.3969/j.issn.0372-2112.2015.02.017

2015-01-01

Abstract:The loss of on-board domain and appearance of multi-tenant context bring some new problems and challenges to access control .In this paper ,these problems are listed and the reasons are analyzed first .And then ,aiming at these problems ,the corresponding solutions and techniques are introduced in terms of identity provision ,authentication ,authorization ,identity federation and single sign-on .Next ,latest works about access control of cloud computing are reviewed in terms of access control models ,at-tribute based access control of cipher text ,and access control of outsourcing data .At last ,the trend of study on access control of cloud computing is analyzed and predicted .

Lin Guoyuan,Wang Danru,Bie Yuyu,Lei Min

DOI: https://doi.org/10.1109/cc.2014.6827577

2014-01-01

China Communications

Abstract:As a new computing mode, cloud computing can provide users with virtualized and scalable web services, which faced with serious security challenges, however. Access control is one of the most important measures to ensure the security of cloud computing. But applying traditional access control model into the Cloud directly could not solve the uncertainty and vulnerability caused by the open conditions of cloud computing. In cloud computing environment, only when the security and reliability of both interaction parties are ensured, data security can be effectively guaranteed during interactions between users and the Cloud. Therefore, building a mutual trust relationship between users and cloud platform is the key to implement new kinds of access control method in cloud computing environment. Combining with Trust Management(TM), a mutual trust based access control (MTBAC) model is proposed in this paper. MTBAC model take both user's behavior trust and cloud services node's credibility into consideration. Trust relationships between users and cloud service nodes are established by mutual trust mechanism. Security problems of access control are solved by implementing MTBAC model into cloud computing environment. Simulation experiments show that MTBAC model can guarantee the interaction between users and cloud service nodes.

Yuding WANG,Jiahai YANG

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.26.059

2017-01-01

Abstract:The key cloud computing characteristics,such as data openness,elasticity,and sharing,complicate data access control.Traditional access control models cannot provide flexible,dynamic access control to large numbers of users with massive data files.This paper presents a data access control model based on the data's role and attribute for cloud computing.An attribute element is assigned to the data to provide role-based access control so that users can be assigned roles based on their own attributes and the tenant's attributes and current status,and can access data with different attributes.The paper illustrates the design of this model and the work processes and provides a theoretical security analysis.The results show that the model can provide dynamic,safe,fine grained access control for users accessing data in a cloud environment.

Jing Xu,Tang Jinglei,He Dongjian,Zan Linsen

DOI: https://doi.org/10.1109/icime.2010.5477832

2010-01-01

Abstract:In the paper, we analyze the features of access control of management-type SaaS. Based on the traditional RBAC, we put forward the access control model based on both tenant and role, in which the tenant is as the minimum unit of administrative domain. To be sure user identity with physical security, we put forward the hierarchical authentication and management of user in the management-type SaaS. In order to ensure the access control model of management-type SaaS in line with the reality, we abolish the inheritance right of role in the traditional RBAC. Based on the timing diagram of UML, analyzing the access control model of the cattle public administration platform based on the SaaS, we present its dynamic modeling of access control. Test and analysis is shown that the access control model based on both tenant and role can ensure the accessibility, security and privacy to access cross-domain in the management-type SaaS, and promote the popularization and application of the management-type SaaS.

WANG Jingyu,FENG Lixiao,ZHENG Xuefeng

DOI: https://doi.org/10.11817/j.issn.1672-7207.2015.06.016

2015-01-01

Abstract:A cloud computing attributes-based access control(CC-ABAC) model was proposed to solve the multi-domains access control problem in cloud computing. An attribute-based access control method was utilized to realize the local-domain and cross-domain access decisions in this model. The formal description of model and core decision algorithm were given. A semaphore and P/V operation mechanism was designed to solve the incompatible problem of call and update the attribute list in the inter-domains properties synchronization. The simulation results show that the model not only realizes fine-grained access control, but also reduces the access control decision time and improves decision-making efficiency.

Gansen Zhao,Wen Cong He,HaiYu Wang,Yong Tang,Qiang Yue

2011-01-01

Abstract:An extensive review on existing implementations of IaaS was conducted and the network security requirements of IaaS were identified. A mechanism for dynamic cloud network security was proposed, which is built on top of VLAN, Bridge, Iptables and network virtualization technology. The proposed mechanism is able to dynamically divide the virtual network of an IaaS cloud into several isolated networks, with each isolated network has its network data being confined within its own network perimeter. The dynamics of the isolated networks fits into the need of cloud computing where virtual machines may migrate from one physical machine to another at runtime. The isolation enforces the network security to a level similar to the physical networks where network perimeters are imposed by physical ports. The proposed mechanism enables network security built independent of physical network.

Na ZHOU,Guoyuan LIN,Zhengkui LI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.12.004

2015-01-01

Abstract:For the problem of the integrity of information in cloud computing, this paper proposed a multi-level security model for a cloud-based platform. The system is divided into three layers by this model and takes the process of virtual machine as a basic layer. The virtual machines run on the same virtual machine monitor are middle layer. Finally, the virtual machine monitor is the top layer. Through comparing the safety in the bottom-up order, the access control method DIFC-B (Decentralized Information Control Flow Based on Biba and BLP)based on the information lfow control method of a distributed computing environment DIFC (Decentralized Information Flow Control) is proposed, which is raised for the security model. The method divides virtual machines and the processes in virtual machines into different security levels. Then according to the properties of Biba model and BLP model to verify the process between the access and to ensure the integrity and conifdentiality of information when the system is running. Finally, the multi-level security model based on cloud platform is analyzed with noninterference theory, which can show the usefulness of the model.